- From: Pete Freitag <pete@foundeo.com>
- Date: Tue, 18 Nov 2014 10:52:20 -0500
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAADZ8V44J71c=1RkaTN2zLvk=xfcLSSBFifdZY+g-gcYqa8DGA@mail.gmail.com>
Consider:

<link rel="icon" href="http://cdn.example.com/icon.png" type="image/png">

Should it fall under 3.1 Optionally Blocked Content or 3.2 Blockable content?

Currently both FF & Chrome treat it as Optionally Blockable content (they allow the content to load) with an a priori insecure origin.

There is an implementation difference in handling the rel=icon case between Firefox and Chrome currently. FF will treat it as if an insecure image was loaded (replaces lock with warning icon) and logs a console message, but Chrome simply allows it to load.

Should the spec be updated to list link rel=icon as Optionally Blocked Content (if it is not listed there, then it should be blocked according to the current editors draft)?

Treating it the same as an image makes sense to me, but it may be a case that could be treated as blockable content because it is not terribly catastrophic if the favicon does not load IMHO.

I'd be happy to either send a pull request to the spec (to treat as Optionally Blockable content) or file bugs with the browsers to treat it as blockable content.

Are there other cases for the link tag that should be considered? For example:

<link rel="alternate" type="application/rss+xml" href="http://example.com/rss/">

I'm less concerned about that one since it is pretty much just a link; both FF & Chrome do not warn if the href is an a priori insecure origin.

--
Pete Freitag
http://content-security-policy.com/ - CSP Reference
Received on Tuesday, 18 November 2014 15:53:12 UTC
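The rule the message is testing is the draft's default-deny structure: a fetch from a secure page to an a priori insecure origin is blockable unless the resource type is explicitly listed as optionally blockable. The following classifier is an added example written for this archive page; it is not code from Pete Freitag's message, from the W3C draft, or from either browser. It assumes the 2014 draft's definition (an origin is a priori insecure when its scheme is neither https nor wss), a simplified optionally-blockable list (img, audio, video), and a hypothetical `treatIconAsOptionallyBlockable` option that models the pull request proposed above. The request descriptors and page URL are constructed sample input. It also covers two cases the message does not spell out: relative and protocol-relative hrefs resolve against the page URL before the scheme is checked, and a `<link rel="alternate">` is classified as not fetched at all rather than as allowed mixed content.

```javascript
// Added example: classify subresource requests the way the Mixed Content draft
// splits them. Not from the original message, the draft, or any browser.

// Assumption (2014 editor's draft wording): an origin is a priori insecure when
// its scheme is neither https nor wss. `base` lets relative and
// protocol-relative hrefs resolve against the page before the check.
function isAPrioriInsecure(href, base) {
  const { protocol } = new URL(href, base);
  return !(protocol === 'https:' || protocol === 'wss:');
}

// Assumption: simplified list of optionally blockable resource types, i.e. the
// ones a UA may load with a downgraded lock indicator.
const OPTIONALLY_BLOCKABLE_ELEMENTS = new Set(['img', 'audio', 'video']);

// Assumption: which <link rel=...> values actually trigger a fetch at load
// time. rel=alternate is deliberately absent; the href is only advertised.
const FETCHING_LINK_RELS = new Set(['icon', 'stylesheet', 'prefetch']);

// A request descriptor is a constructed object: { element, rel, href }.
function triggersFetch(req) {
  if (req.element !== 'link') return true;
  return FETCHING_LINK_RELS.has(req.rel);
}

// Returns one of:
//   'not-fetched'          the element never requests the URL
//   'allowed'              page is not secure, or resource is not a priori insecure
//   'optionally-blockable' draft lets the UA load it with a warning
//   'blockable'            draft requires the UA to block it
function classify(pageUrl, req, opts = {}) {
  if (!triggersFetch(req)) return 'not-fetched';
  const pageIsSecure = !isAPrioriInsecure(pageUrl, pageUrl);
  if (!pageIsSecure) return 'allowed';          // no mixed content on an http: page
  if (!isAPrioriInsecure(req.href, pageUrl)) return 'allowed';

  if (OPTIONALLY_BLOCKABLE_ELEMENTS.has(req.element)) return 'optionally-blockable';
  // Hypothetical option modelling the proposal to list link rel=icon in 3.1.
  if (req.element === 'link' && req.rel === 'icon' && opts.treatIconAsOptionallyBlockable) {
    return 'optionally-blockable';
  }
  // Default-deny: anything not listed as optionally blockable is blockable.
  return 'blockable';
}

// Scan a whole page's requests and tally the verdicts.
function scan(pageUrl, requests, opts = {}) {
  const verdicts = requests.map((req) => ({ ...req, verdict: classify(pageUrl, req, opts) }));
  const counts = {};
  for (const v of verdicts) counts[v.verdict] = (counts[v.verdict] || 0) + 1;
  return { verdicts, counts };
}

// Constructed sample: the two <link> tags from the message plus a few other
// subresources a page served from https://example.com/ might reference.
const SAMPLE_PAGE = 'https://example.com/';
const SAMPLE_REQUESTS = [
  { element: 'link', rel: 'icon', href: 'http://cdn.example.com/icon.png' },
  { element: 'link', rel: 'alternate', href: 'http://example.com/rss/' },
  { element: 'img', rel: null, href: 'http://cdn.example.com/hero.png' },
  { element: 'img', rel: null, href: '//cdn.example.com/logo.png' }, // resolves to https:
  { element: 'script', rel: null, href: 'http://cdn.example.com/app.js' },
  { element: 'link', rel: 'stylesheet', href: '/site.css' },            // same-origin https
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const opt of [false, true]) {
    const { verdicts, counts } = scan(SAMPLE_PAGE, SAMPLE_REQUESTS, { treatIconAsOptionallyBlockable: opt });
    console.log(`treatIconAsOptionallyBlockable=${opt}`, counts);
    for (const v of verdicts) console.log(`  ${v.element}${v.rel ? '[rel=' + v.rel + ']' : ''} ${v.href} -> ${v.verdict}`);
  }
}
```

Running it against the constructed page shows the point of the message: with the draft as written the favicon request is blockable, flipping the option moves it next to images, and the rel=alternate link never enters the mixed-content decision because nothing is fetched. The protocol-relative image is reported as allowed, which is the usual fix when a CDN asset must stay loadable from both http and https pages.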